Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using the bucket command, why doesn't one bucket range appear?

rana_nour
Explorer
‎07-13-2015 05:46 AM

I have a search that categorizes results according to the response time and buckets them in 1000. I have 0-1000 and 1000-2000 and 3000-4000 and so on. It appears perfectly, but I never have 2000-3000 appear any help?

index=gasf  host="*hub-vpn*" uri_path="*default.aspx" referer!="*SSOLogon*"  | rex "(?<response_time>\d+)\s[\-\+]$" | eval resTimeInMS=round((response_time/1000),2) | bucket resTimeInMS span=1000   | timechart span=15m c by resTimeInMS usenull=f
Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2015 07:34 AM

It does not appear because you have no values. The fillnull directive applies to the axes, not to the number of lines in the chart. Your 'by' field is resTimeInMS so the lines plotted will be only those for which this field has values. Think about it: if you were plotting by host how would you expect timechart to "fill in gaps" in host values? The only way to solve this is to use append to force each range value to have an entry by appending exactly 1 event in each 15-minute span and then subtracting one from each before you plot it. I will have the implementation of this solution as an exercise for the OP.

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎07-13-2015 06:31 AM

If you leave the bucket out of your search, is there data in that range?

0 Karma
Reply

otman01
Communicator
‎07-13-2015 06:01 AM

its probabely to not get all captions, but do you have some data presented in this graphe for this interval right?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...